David Müller:
Why URL validation with filter_var might not be a good idea
September 20, 2012 @ 08:09:31

David Müller has a new post on his site today showing why validating URLs with filter_var alone might not be a good idea for the security of your application.

Since PHP 5.2 brought us the filter_var function, the time of such [regular expressions-based] monsters was over. [With] the simple, yet effective syntax [and] with a third parameter, filter flags can be passed, [...] 4 flags are available [for URL filtering].

He shows how to use it to catch a simple XSS attempt (a "script" tag in the URL) and then gives examples of issues the filter_var function does not prevent, such as URLs with other schemes ("php://" or "javascript://") being accepted as valid. He recommends adding a wrapper around the call that checks for the expected scheme (e.g. "http" or "https" for web URLs) and reminds you that filter_var is not multibyte capable.
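The wrapper idea from the summary above, written out as an added example (not code from David Müller's post or from PHPDeveloper.org). It shows the two gaps the post describes: FILTER_VALIDATE_URL accepts any scheme as long as a host is present, so the caller must restrict the scheme itself, and the filter is ASCII-only, so a host with non-ASCII characters must be converted to its punycode form before filtering. The function name is_http_url(), the allowed-scheme list and the sample URLs are assumptions for this example.

```php
<?php
declare(strict_types=1);

// Added example, not from the original post. is_http_url() and the
// allowed-scheme default are assumptions made for this illustration.

/**
 * Return true only for syntactically valid URLs whose scheme is in $allowedSchemes.
 */
function is_http_url(string $url, array $allowedSchemes = ['http', 'https']): bool
{
    // filter_var is not multibyte aware: any byte outside printable ASCII makes
    // FILTER_VALIDATE_URL fail. If the intl extension is loaded, convert an
    // internationalised host name to its ASCII (punycode) form first.
    if (preg_match('/[^\x20-\x7E]/', $url) === 1) {
        if (!function_exists('idn_to_ascii')) {
            return false;
        }
        $parts = parse_url($url);
        if ($parts === false || !isset($parts['host'])) {
            return false;
        }
        $asciiHost = idn_to_ascii($parts['host'], IDNA_DEFAULT, INTL_IDNA_VARIANT_UTS46);
        if ($asciiHost === false) {
            return false;
        }
        $url = str_replace($parts['host'], $asciiHost, $url);
    }

    // Step 1: syntactic validation only. On its own this still accepts
    // javascript://host, php://filter/... and other non-web schemes.
    if (filter_var($url, FILTER_VALIDATE_URL) === false) {
        return false;
    }

    // Step 2: the scheme check that filter_var does not do for you.
    $scheme = parse_url($url, PHP_URL_SCHEME);
    if (!is_string($scheme)) {
        return false;
    }
    return in_array(strtolower($scheme), $allowedSchemes, true);
}

// Constructed sample inputs, one per case discussed in the post.
$samples = [
    'https://example.com/path?x=1',        // ordinary web URL
    'javascript://example.com',            // non-web scheme with a host
    'php://filter/resource=index.php',     // PHP stream wrapper as a URL
    'http://bücher.example/',              // non-ASCII host name
];

foreach ($samples as $u) {
    printf(
        "%-40s filter_var: %-3s  is_http_url: %s\n",
        $u,
        filter_var($u, FILTER_VALIDATE_URL) === false ? 'no' : 'yes',
        is_http_url($u) ? 'yes' : 'no'
    );
}
```

Run it with the PHP CLI to compare the bare filter_var result with the wrapper's result side by side: the wrapper rejects the two non-web schemes the bare filter lets through, and (with the intl extension installed) accepts the non-ASCII host that the bare filter rejects. Comparing the scheme against an allow-list, rather than blocking known-bad schemes, is the design choice that keeps the check valid as new schemes appear.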
